Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
SQL permission & Security Audit
#1
Hi, everybody,
I write here on behalf of my company because it is conducting a security audit on internal systems, in particular I am in charge of managing sql server so I have to ask technical questions to the team regarding the software ASG Remote Desktop.

Currently our ASG-Remote Desktop installation connects to the sql server with a sql login that is db_owner of the application's db.

These are the questions I have to ask you:
- What are the minimum sql grants that the application needs to operate properly? (is the db_owner role of the application's db enough?)
- Does the application need sysadmin rights to operate correctly?
- The application uses the account sa?
- Which owner should have the applications's dbs?
- Does the application use the CLR Integration Assemblies functionality? If no, can we disable it?

"Application Security is the responsibility of the Application development and Support teams. Application teams are encouraged to follow Microsoft guidelines to enforce best practices. Microsoft Security considerations can be found at: http://msdn.microsoft.com/en-us/library/bb510589.aspx
An example of the best practices to reduce the effects of SQL Injection attacks can be found at: http://msdn.microsoft.com/en-us/library/ms161953.aspx"
- Are MS's best practices in software security already applied?

Thanks
Reply
#2
I think mostly is answered in documentation - just read the chapter "Working with environments=>Working in database mode=>Necessary permissions on SQL server instance"

Which user you are using depends on how you setup the database connection - like Integrated or a special db-User...

And no - CLR is not used and can be deactivated

We didn't check the guidelines from MS - but we do mostly use only standard SQL!
Regards/Gruss
Oliver
Reply
#3
(06-07-2020, 11:57 AM)DevOma Wrote: I think mostly is answered in documentation - just read the chapter "Working with environments=>Working in database mode=>Necessary permissions on SQL server instance"

Which user you are using depends on how you setup the database connection - like Integrated or a special db-User...

And no - CLR is not used and can be deactivated

We didn't check the guidelines from MS - but we do mostly use only standard SQL!

Thank you, where can I find the documentation you mentioned?
Reply
#4
Just press F1 inside the application (ASGRD) - is part of the installation
Regards/Gruss
Oliver
Reply




Users browsing this thread: 1 Guest(s)